Malware Analysis Report

2025-04-14 08:19

Sample ID 250318-1jrtssx1g1
Target ORDER-984486-895432.js
SHA256 398e3d3d2ad8e2e91693c1682780d2352ebe962b67547af5c20735ae97ea94a9
Tags: asyncrat wshrat march-25 discovery execution persistence rat trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 398e3d3d2ad8e2e91693c1682780d2352ebe962b67547af5c20735ae97ea94a9
Threat Level: Known bad (the file ORDER-984486-895432.js was found to be: Known bad)

Malicious Activity Summary

Tags: asyncrat wshrat march-25 discovery execution persistence rat trojan

Family detections:
  AsyncRat / Asyncrat family / Async RAT payload
  WSHRAT / Wshrat family

Behaviours:
  Blocklisted process makes network request
  Loads dropped DLL
  Checks computer location settings
  Drops startup file
  Executes dropped EXE
  Adds Run key to start application
  Enumerates physical storage devices
  Command and Scripting Interpreter: JavaScript
  System Location Discovery: System Language Discovery
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Delays execution with timeout.exe
  Modifies registry class
  Scheduled Task/Job: Scheduled Task
  Script User-Agent
  Suspicious use of AdjustPrivilegeToken

How the two family tags fit together in the detonations below: the submitted .js runs under wscript.exe and starts two further scripts from the user's Temp directory, adobe.js and word.js. adobe.js is the WSHRAT side: it is copied to the Startup folder, registered under both the HKLM and the per-user Run key as "wscript.exe //B C:\Users\Admin\AppData\Roaming\adobe.js", and the JavaScript checks in to the C2 with the WSHRAT-format User-Agent. One of the two script processes (by the listing order, word.js) starts the dropped RDo.exe, which installs the second payload with a routine consistent with AsyncRAT's installer: a scheduled task named "WindowsUpdate" (onlogon, run level highest) pointing at a copy in Temp, plus a temporary .bat that waits with "timeout 3" and then starts WindowsUpdate.exe. The memory dumps listed under Files are taken from RDo.exe and WindowsUpdate.exe, the two dropped executables.

MITRE ATT&CK (Enterprise Matrix V15)

The matrix itself is not reproduced in this text export. The signature names above already carry ATT&CK technique names; they map to T1059.007 (Command and Scripting Interpreter: JavaScript), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, covering both the Run key and the Startup-folder drop), T1053.005 (Scheduled Task/Job: Scheduled Task) and T1614.001 (System Location Discovery: System Language Discovery).

Analysis: static1

Detonation Overview

Reported: 2025-03-18 21:41

Signatures: none (static analysis produced no signature hits)

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-18 21:41
Reported: 2025-03-18 21:43
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 161s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-984486-895432.js

Signatures

AsyncRat (rat, asyncrat)
Asyncrat family (asyncrat)
WSHRAT (trojan, wshrat)
Wshrat family (wshrat)
Async RAT payload (rat): no detail rows

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A

The value name is "adobe" in both hives and the action launches the Roaming copy of adobe.js with //B (batch mode, no script errors or prompts shown). Each value is written by two distinct wscript.exe processes (the image paths differ only in case), so the Run-key persistence is re-applied by the script it launches.

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Script User-Agent

Description: HTTP User-Agent header
Indicator: WSHRAT|44BAD2C8|JSMURNPT|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/3/2025|JavaScript
Process: N/A
Target: N/A
Occurrences: 24 (identical rows collapsed; the same value was sent on every check-in)

The value is pipe-delimited and carries the sandbox user name (Admin), the OS edition of the detonation platform and the detonation date in clear text, which makes it a reliable network signature for this family: the "WSHRAT|" prefix followed by an 8-hex-digit identifier does not occur in legitimate User-Agent strings.
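A parser for this check-in string and a scan over proxy-log lines, added here as an example (it is not part of the sandbox report and not WSHRAT's own code). The User-Agent values are the two recorded in this report; the log format, client addresses and request paths are constructed for the example, and the names given to the fields after the WSHRAT marker (bot_id, variant, antivirus, flag) are assumptions from the observed values, with hostname, username and OS recognisable from the sandbox platform:

```python
"""Parse the WSHRAT check-in User-Agent and hunt for it in proxy logs.

Added example, not part of the sandbox report. The log lines are constructed
(only the two User-Agent values come from the report); field names after the
WSHRAT marker are assumptions based on the observed values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed proxy log: timestamp, client, method, URL, status, quoted User-Agent.
SAMPLE_PROXY_LOG = """\
2025-03-18T21:42:01Z 10.0.0.5 GET http://chongmei33.myddns.rocks:7044/ 200 "WSHRAT|44BAD2C8|JSMURNPT|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/3/2025|JavaScript"
2025-03-18T21:42:02Z 10.0.0.6 GET http://example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-03-18T21:42:03Z 10.0.0.7 POST http://umarmira055.duckdns.org:7044/ 200 "WSHRAT|AE8ED450|QJHNVQMW|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 18/3/2025|JavaScript"
2025-03-18T21:42:04Z 10.0.0.8 GET http://example.org/ 200 "WSHRAT|notahexid|X|Y|Z|plus|nan-av|false - 1/1/2025|JavaScript"
"""


@dataclass
class WshratBeacon:
    bot_id: str        # 8 hex digits; assumed to be a per-victim identifier
    hostname: str      # JSMURNPT / QJHNVQMW in the two runs
    username: str      # Admin (the sandbox user)
    os: str            # OS edition of the detonation platform
    variant: str       # "plus" in both runs; meaning assumed (build/variant tag)
    antivirus: str     # "nan-av": read as "no AV product"; meaning assumed
    flag: str          # "false"; meaning assumed
    install_date: str  # d/m/yyyy; equals the detonation date in both runs


HEX_ID = re.compile(r"^[0-9A-F]{8}$")


def parse_wshrat_user_agent(ua: str) -> Optional[WshratBeacon]:
    """Return the decoded beacon, or None if ua is not a WSHRAT check-in."""
    parts = [p.strip() for p in ua.split("|")]
    if len(parts) != 9 or parts[0] != "WSHRAT" or not HEX_ID.match(parts[1]):
        return None
    flag, _, date = parts[7].partition(" - ")
    if not date:
        return None
    return WshratBeacon(parts[1], parts[2], parts[3], parts[4], parts[5], parts[6], flag, date)


UA_FIELD = re.compile(r'"([^"]*)"\s*$')  # the quoted User-Agent at the end of a line


def find_wshrat_beacons(log_text: str) -> List[dict]:
    """Scan proxy log lines and return one record per WSHRAT check-in."""
    hits = []
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if not m:
            continue
        beacon = parse_wshrat_user_agent(m.group(1))
        if beacon is None:
            continue
        fields = line.split(" ", 5)
        hits.append({"time": fields[0], "client": fields[1], "url": fields[3], "beacon": beacon})
    return hits


if __name__ == "__main__":
    for h in find_wshrat_beacons(SAMPLE_PROXY_LOG):
        b = h["beacon"]
        print(f"{h['time']} {h['client']} -> {h['url']}  id={b.bot_id} host={b.hostname} user={b.username} os={b.os!r}")
```

The parser rejects anything that does not have exactly nine fields, the WSHRAT marker and an 8-hex-digit identifier (the fourth sample line shows such a near miss), so it can be dropped into a log pipeline without matching on the word "WSHRAT" alone; the trailing space after the OS field in the Windows 7 value is stripped on purpose.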

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A | 3

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2360 wrote to memory of 348 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe | 3
PID 2360 wrote to memory of 380 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe | 3
PID 380 wrote to memory of 2752 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\RDo.exe | 4
PID 348 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe | 3
PID 2752 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2752 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2988 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1352 wrote to memory of 1028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 1352 wrote to memory of 1708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | 7

Identical rows are collapsed into the Count column. Every pair here is a parent writing into a child it has just created; process creation itself writes the new process's startup parameters into its address space, so these rows document the process lineage rather than injection into an unrelated process. They are the source of the parent/child PIDs used in the process tree below.

Processes

Process tree (PIDs from the WriteProcessMemory parent/child pairs above; which of the two WScript.exe children of 2360 runs adobe.js and which runs word.js is not stated by the report, the assignment below follows its listing order):

2360  C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-984486-895432.js
  348   C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
    2900  C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  380   C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
    2752  C:\Users\Admin\AppData\Local\Temp\RDo.exe
          "C:\Users\Admin\AppData\Local\Temp\RDo.exe"
      2988  C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit
        524   C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
      1352  C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp.bat""
        1028  C:\Windows\SysWOW64\timeout.exe
              timeout 3
        1708  C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
              "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

Two details worth noting for detection: RDo.exe is a 32-bit binary (it asks for C:\Windows\System32\cmd.exe but the file-system redirector gives it the SysWOW64 copies of cmd.exe, schtasks.exe and timeout.exe), and the scheduled task is created with /rl highest and /f under a name that imitates a Windows component while its action lives in the user's Temp directory.

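Detection logic for this chain written against process-creation telemetry, added here as an example (it is not part of the sandbox report and not the sandbox's own signature code). The EVENTS list reconstructs the behavioral1 tree as Sysmon-style records: PIDs and parent PIDs are the ones from the WriteProcessMemory table and the command lines are the ones listed above; the parent PID 1000 standing in for the user's shell and the benign notepad.exe control event are invented for the example:

```python
"""Process-lineage detection for the execution chain in this report.

Added example, not code from the sandbox or the report. EVENTS is constructed:
PIDs, parents and command lines come from the report's behavioral1 run; the
parent PID 1000 and the notepad.exe control event are invented.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SCHTASKS = rf'''schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"{TEMP}\WindowsUpdate.exe"' '''.strip()

EVENTS = [
    {"pid": 2360, "ppid": 1000, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": rf"wscript.exe {TEMP}\ORDER-984486-895432.js"},
    {"pid": 348, "ppid": 2360, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": rf'"C:\Windows\System32\WScript.exe" "{TEMP}\adobe.js"'},
    {"pid": 380, "ppid": 2360, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": rf'"C:\Windows\System32\WScript.exe" "{TEMP}\word.js"'},
    {"pid": 2900, "ppid": 348, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"'},
    {"pid": 2752, "ppid": 380, "image": rf"{TEMP}\RDo.exe", "cmd": rf'"{TEMP}\RDo.exe"'},
    {"pid": 2988, "ppid": 2752, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": rf'"C:\Windows\System32\cmd.exe" /c {SCHTASKS} & exit'},
    {"pid": 1352, "ppid": 2752, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": rf'cmd /c ""{TEMP}\tmpFF26.tmp.bat""'},
    {"pid": 524, "ppid": 2988, "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmd": SCHTASKS},
    {"pid": 1028, "ppid": 1352, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "timeout 3"},
    {"pid": 1708, "ppid": 1352, "image": rf"{TEMP}\WindowsUpdate.exe", "cmd": rf'"{TEMP}\WindowsUpdate.exe"'},
    # Invented benign control event: notepad started from the user's shell.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events: Dict[int, dict], pid: int) -> List[dict]:
    """Ancestors of pid, nearest parent first; stops at an unknown or repeated PID."""
    chain, seen = [], set()
    ppid = events[pid]["ppid"] if pid in events else None
    while ppid in events and ppid not in seen:
        seen.add(ppid)
        chain.append(events[ppid])
        ppid = events[ppid]["ppid"]
    return chain


def script_host_spawns_user_exe(ev: dict, parent: Optional[dict]) -> bool:
    """wscript/cscript starting a .exe that lives under the user's AppData (RDo.exe here)."""
    return (parent is not None and image_name(parent["image"]) in SCRIPT_HOSTS
            and ev["image"].lower().endswith(".exe") and USER_WRITABLE.search(ev["image"]) is not None)


def schtasks_to_user_dir(ev: dict, parent: Optional[dict]) -> bool:
    """schtasks /create whose /tr action points into AppData (the WindowsUpdate task)."""
    cmd = ev["cmd"].lower()
    return (image_name(ev["image"]) == "schtasks.exe" and "/create" in cmd and "/tr" in cmd
            and USER_WRITABLE.search(cmd) is not None)


def hidden_script_from_roaming(ev: dict, parent: Optional[dict]) -> bool:
    """Script host run with //B on a script under AppData\\Roaming: the Run-key launch form."""
    cmd = ev["cmd"].lower()
    return image_name(ev["image"]) in SCRIPT_HOSTS and "//b" in cmd and "\\appdata\\roaming\\" in cmd


RULES: List[Tuple[str, Callable[[dict, Optional[dict]], bool]]] = [
    ("script_host_spawns_user_exe", script_host_spawns_user_exe),
    ("schtasks_to_user_dir", schtasks_to_user_dir),
    ("hidden_script_from_roaming", hidden_script_from_roaming),
]


def detect(event_list: List[dict]) -> List[Tuple[str, int]]:
    """Apply every rule to every event; returns (rule name, pid) pairs."""
    events = {e["pid"]: e for e in event_list}
    return [(name, ev["pid"]) for ev in event_list for name, rule in RULES
            if rule(ev, events.get(ev["ppid"]))]


def descends_from_script_host(event_list: List[dict], pid: int) -> bool:
    """True if any ancestor is wscript/cscript: ties WindowsUpdate.exe back to the .js."""
    events = {e["pid"]: e for e in event_list}
    return any(image_name(a["image"]) in SCRIPT_HOSTS for a in lineage(events, pid))


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for name, pid in detect(EVENTS):
        print(f"{name}: pid {pid}  {by_pid[pid]['cmd']}")
```

The three rules fire on exactly the three pivots of this chain (RDo.exe started by a script host, the schtasks action in Temp, and the //B relaunch from Roaming) and nothing else in the tree; the lineage walk is what lets an alert on WindowsUpdate.exe be attributed to the original .js two cmd.exe hops up, which a flat per-process rule cannot do.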
Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | chongmei33.myddns.rocks | udp | 1
SE | 46.246.82.67:7044 | chongmei33.myddns.rocks | tcp | 2
US | 8.8.8.8:53 | umarmira055.duckdns.org | udp | 1
SE | 46.246.82.67:7031 | umarmira055.duckdns.org | tcp | 1
SE | 46.246.82.67:7044 | umarmira055.duckdns.org | tcp | 22

Repeated rows are collapsed into the Connections column. Both dynamic-DNS hostnames resolved (via 8.8.8.8) to the same server, 46.246.82.67, so that address is the single network indicator to block; port 7031 saw one connection and port 7044 carried all the rest. The report does not attribute the ports to either family.
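The Network table reduced to a blocklist and a per-endpoint connection count, added here as an example (not part of the sandbox report). NETWORK_ROWS is a constructed copy of the behavioral1 rows with repeats collapsed to a count; DDNS_SUFFIXES is an assumption made up of the two providers seen here plus No-IP domains, and the resolver set assumes 8.8.8.8 is the only DNS server in play:

```python
"""Turn the Network table of this report into blockable indicators.

Added example, not part of the sandbox report. NETWORK_ROWS is a constructed
copy of the behavioral1 Network table with repeated rows collapsed to a count;
DDNS_SUFFIXES and DNS_RESOLVERS are assumptions for the example.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

NETWORK_ROWS = [
    # (country, destination, domain, proto, occurrences)
    ("US", "8.8.8.8:53", "chongmei33.myddns.rocks", "udp", 1),
    ("SE", "46.246.82.67:7044", "chongmei33.myddns.rocks", "tcp", 2),
    ("US", "8.8.8.8:53", "umarmira055.duckdns.org", "udp", 1),
    ("SE", "46.246.82.67:7031", "umarmira055.duckdns.org", "tcp", 1),
    ("SE", "46.246.82.67:7044", "umarmira055.duckdns.org", "tcp", 22),
]

# Assumed list: the two providers in this report plus No-IP's common zones.
DDNS_SUFFIXES = ("duckdns.org", "myddns.rocks", "no-ip.org", "ddns.net", "hopto.org")
DNS_RESOLVERS = {"8.8.8.8"}  # assumed: resolver traffic is not a C2 endpoint


def is_dynamic_dns(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def split_dest(dest: str) -> Tuple[str, int]:
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarise(rows) -> Dict[str, object]:
    """Connections per C2 endpoint, plus which hostnames share which server."""
    endpoints: Counter = Counter()
    domain_ips: Dict[str, Set[str]] = defaultdict(set)
    for _country, dest, domain, _proto, n in rows:
        ip, port = split_dest(dest)
        if port == 53 and ip in DNS_RESOLVERS:
            continue  # the lookup, not the C2 itself
        endpoints[(ip, port)] += n
        domain_ips[domain].add(ip)
    # Several hostnames on one IP: the operator rotates names over a single server.
    ip_domains: Dict[str, Set[str]] = defaultdict(set)
    for domain, ips in domain_ips.items():
        for ip in ips:
            ip_domains[ip].add(domain)
    return {"endpoints": endpoints, "domain_ips": dict(domain_ips), "ip_domains": dict(ip_domains)}


def indicators(rows) -> List[str]:
    """Flat, sorted IOC list suitable for a blocklist; DDNS names are tagged separately."""
    s = summarise(rows)
    out = set()
    for domain in s["domain_ips"]:
        out.add(("ddns-domain:" if is_dynamic_dns(domain) else "domain:") + domain)
    for (ip, port), n in s["endpoints"].items():
        out.add(f"ip:{ip}")
        out.add(f"endpoint:{ip}:{port} (connections={n})")
    return sorted(out)


if __name__ == "__main__":
    for ioc in indicators(NETWORK_ROWS):
        print(ioc)
```

Tagging the dynamic-DNS names separately matters because such hostnames are cheap for the operator to replace; the IP and the two listening ports are the indicators with a longer useful life.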

Files

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 294f1f4ee9bd1a410379ccc7430c7a69
SHA1 02436fc31c5fa37c3735dcff0f450c20e302e7a2
SHA256 f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187
SHA512 8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

C:\Users\Admin\AppData\Local\Temp\RDo.exe

MD5 7e54eec2d10957178e6410ba1c899c21
SHA1 9f79b7ef7b24933b0b106a387fbf5834863dbc78
SHA256 d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8
SHA512 e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

memory/2752-20-0x0000000000840000-0x0000000000852000-memory.dmp (memory region dumped from RDo.exe, PID 2752)

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 33d6e875441823e698ea8b8c4739dfd4
SHA1 a446695785e38522c923a5340e43c236ac332616
SHA256 32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce
SHA512 633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp.bat

MD5 ac30a36d9712a0a29fa32a084b58bb75
SHA1 c2c0e70b4bc32f4f86b355f49963276b22dd886d
SHA256 87b0d3ff05b3df23043b7d2f1dabce9c8369fb87d653e1126513470e36fbe3a3
SHA512 b52664de261aa4b7073e97a0a52261a43af41c196686b9c59ed25e93898b1d1f044f7a56b873b87916e02db82fb5b0ff7de589adb8a2719b4cb1000f1a6896d1

memory/1708-33-0x0000000000F20000-0x0000000000F32000-memory.dmp (memory region dumped from WindowsUpdate.exe, PID 1708)

Analysis: behavioral2

Detonation Overview

Submitted: 2025-03-18 21:41
Reported: 2025-03-18 21:43
Platform: win10v2004-20250314-en
Max time kernel: 148s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-984486-895432.js

Signatures

AsyncRat (rat, asyncrat)
Asyncrat family (asyncrat)
WSHRAT (trojan, wshrat)
Wshrat family (wshrat)
Async RAT payload (rat): no detail rows

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Script User-Agent

Description: HTTP User-Agent header
Indicator: WSHRAT|AE8ED450|QJHNVQMW|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 18/3/2025|JavaScript
Process: N/A
Target: N/A
Occurrences: 25 (identical rows collapsed)

Same layout as in behavioral1; only the identifier, host name and OS edition fields differ, which is what one expects if those fields describe the infected machine.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1560 wrote to memory of 4704 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe | 2
PID 1560 wrote to memory of 4472 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe | 2
PID 4704 wrote to memory of 4584 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe | 2
PID 4472 wrote to memory of 4476 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\RDo.exe | 3
PID 4476 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4476 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\RDo.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2084 wrote to memory of 1396 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 1176 wrote to memory of 5076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 3
PID 1176 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | 3

Identical rows are collapsed into the Count column; as in behavioral1, each pair is a parent writing into the child it has just created.

Processes

Process tree (PIDs from the WriteProcessMemory parent/child pairs above; the adobe.js/word.js assignment of the two WScript.exe children follows the report's listing order, as in behavioral1):

1560  C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-984486-895432.js
  4704  C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
    4584  C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  4472  C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
    4476  C:\Users\Admin\AppData\Local\Temp\RDo.exe
          "C:\Users\Admin\AppData\Local\Temp\RDo.exe"
      2084  C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit
        1396  C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
      1176  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1BC.tmp.bat""
        5076  C:\Windows\SysWOW64\timeout.exe
              timeout 3
        1320  C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
              "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

The chain is identical to the Windows 7 run apart from PIDs and the random name of the temporary batch file (tmpB1BC.tmp.bat instead of tmpFF26.tmp.bat), which is why that file name should not be used as an indicator.

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | chongmei33.myddns.rocks | udp | 1
SE | 46.246.82.67:7044 | chongmei33.myddns.rocks | tcp | 3
US | 8.8.8.8:53 | umarmira055.duckdns.org | udp | 1
SE | 46.246.82.67:7031 | umarmira055.duckdns.org | tcp | 1
SE | 46.246.82.67:7044 | umarmira055.duckdns.org | tcp | 8
US | 8.8.8.8:53 | c.pki.goog | udp | 1
GB | 142.250.200.35:80 | c.pki.goog | tcp | 1
SE | 46.246.82.67:7044 | umarmira055.duckdns.org | tcp | 14

Repeated rows are collapsed into the Connections column, keeping the order in which the destinations first appeared. The C2 picture is the same as in behavioral1 (both dynamic-DNS names on 46.246.82.67, one connection to 7031, the rest to 7044). c.pki.goog (142.250.200.35:80) is a Google Trust Services PKI endpoint and is almost certainly background certificate traffic from the Windows 10 image rather than the sample's own communication.

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js

MD5 294f1f4ee9bd1a410379ccc7430c7a69
SHA1 02436fc31c5fa37c3735dcff0f450c20e302e7a2
SHA256 f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187
SHA512 8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

C:\Users\Admin\AppData\Local\Temp\RDo.exe

MD5 7e54eec2d10957178e6410ba1c899c21
SHA1 9f79b7ef7b24933b0b106a387fbf5834863dbc78
SHA256 d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8
SHA512 e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js (captured at creation, before its content was written)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the hashes of a zero-byte file, so this entry is not a second script. The populated Startup copy is the entry above, whose hashes match C:\Users\Admin\AppData\Local\Temp\adobe.js from behavioral1; f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187 is the hash to use for the persisted script.

memory/4476-25-0x0000000000F60000-0x0000000000F72000-memory.dmp (memory region dumped from RDo.exe, PID 4476)

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 33d6e875441823e698ea8b8c4739dfd4
SHA1 a446695785e38522c923a5340e43c236ac332616
SHA256 32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce
SHA512 633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

memory/4476-26-0x0000000005970000-0x0000000005A0C000-memory.dmp (second memory region dumped from RDo.exe, PID 4476)

C:\Users\Admin\AppData\Local\Temp\tmpB1BC.tmp.bat

MD5 810b3f8a10e6b655d18aec18349736f9
SHA1 3c7d472839b226f6ba4c70e14976a2857db7a1a4
SHA256 2d270ed4d1c629b396183b551c276757505981702e8ab3c8f1154799212c2beb
SHA512 dfb9c5d943f84fe453051fc20291ed7b91511d7a4f418ee92c08c834138033b8de1e1e3b9428eb97adac86ec14904627e2e667b41e6821fa9a23a9ad30e301a9

memory/1320-38-0x0000000004D30000-0x0000000004D96000-memory.dmp (memory region dumped from WindowsUpdate.exe, PID 1320)

memory/1320-37-0x0000000005270000-0x0000000005814000-memory.dmp (second memory region dumped from WindowsUpdate.exe, PID 1320)